interview with a private investigator

Recently a commenter here, Seejay, mentioned that she used to be a private investigator, and I wanted to know more. She kindly agreed to be interviewed, and here’s our conversation.

So tell us a bit about the work you did.

My training and background is in Internet investigations and computer forensics. I initially got into the field when I acquired a cyberstalker back in the mid 90s. He was using anonymous remailers which made it impossible to trace and the local police had no idea how to deal with it outside of telling me to “stay off the internet.” I also was told to change my email address but without any other advice on how to protect it, it was pretty useless. This spurred my interest in wanting to actually do something to get involved with computer crime. So when I went back to university, I focused on studying law and forensics as a minor to my computer science degree.

While I was in school, I got involved helping victims of online harassment, primarily tracing emails and websites, identifying harassers, and providing support and guidance on what to do when harassed online … essentially all the support I didn’t have when I had my cyberstalker.

When I graduated, I wound up being hired by a private investigation company as a computer forensic analyst. I was licensed as a PI but most of my work was focused on investigating websites specializing in satellite piracy and hacking. I went “undercover” as a participant in these communities, purchased software and hardware and communicated with other members, while learning the names and trying to uncover the identities of the major players and site owners. I used publicly accessible and industry specific tools and databases to look up information and identify people and hidden websites. When there were busts, I would participate in raids and be given hard drives to image and pull data from. This usually gave me access to message forums and private emails to other pirates and hackers in the satellite piracy scene. The site owners would also give us their financial records for anyone that had purchased software and hardware from them. This was all done as bargaining tools to lower the fines and charges being levied against them by the satellite companies for intellectual property theft. This resulted in a lot of people in general getting fined by the companies as well.

I did some undercover work that involved hidden cameras and surveillance, but it wasn’t that exciting. Clip the pager with the camera onto your purse, put it down on the counter with the pinhole facing the direction you want it to be in, record the transaction. 99% of the people you’re buying things from won’t even think twice, unless you’re buying something super illegal. I was buying tanning products that weren’t supposed to be distributed in Canada due to some regulations. It made more sense to send me instead of the male PIs.

That sounds exciting to me, for the record.

After the PI company, I moved on to work at a large financial institute in the fraud division. Our division focused primarily on fraud committed within the company (done by employees) but we also saw our fair share of fraudulent checks, card skimming devices, customers who let their kids use their card then claimed it was stolen when the kid took out all the cash (we’d pull the ATM video to prove it), and a bunch of other things.

I was involved in some interesting cases, like an employee who sent a harassing letter to another employee’s wife (I proved it was him when I pulled up a copy of the deleted Word doc on his computer, plus added bonus of finding a link in the log file of his browser showing a mapped out route to the victim’s home address).

That all being said, unlike what they show you in CSI, there’s no flashing characters or fancy graphics on the screen. A lot of what I did involved staring at long lines of characters and strings and looking for patterns. Or sometimes throwing random search strings out and hoping to find something that hit so I could start looking *somewhere*. Or sometimes it’s just knowing how to search effectively, and knowing how to narrow the search terms down (such as being able to connect a pirate with his current online screen name to the screen name he used 10 years ago when he was 14 in an obscure instant messenger database, which also wound up being connected to his real name).

What did you like best about the work?

I would get a thrill out of finally making a connection or finding that hidden piece of information after hours (or even days) of searching. It was like finally getting that missing piece of the puzzle to snap into place and there’d be a rush. There’s also the challenge of digging into piles of information and trying to make sense of it. There’s a big appeal, at least to me, about finding ways to navigate through the morass and eke out the small little details that so many others would overlook but I would either grab onto or at least file away as “might be important later” and then remember it when something else would connect to it.

And when I wasn’t saving big companies money (which is ultimately what piracy and fraud investigations do), some of the work I did helped people, which was one of the major driving factors in why I wanted to be in the field in the first place.

What was the most challenging part of it?

Part of it was staying motivated through the sheer drudgery of digging through so much data. While that can be fun at times, it can also make your eyes glaze over then cross when you’re literally staring at numbers and data that looks nearly identical, trying to find something that jumps out at you. One case I had involved stolen social security numbers and I spent 20-some hours running them through different queries and databases, trying to find possible hits on them, then if I did, trying to determine if they were used under false pretenses or if they were legitimately used by the real owner.

I also found myself in a weird limbo state where I had a hard time staying excited about fraud investigations, as most of the work was benefiting a faceless company, while I knew my interest was more towards helping victims directly … yet I was also burning out emotionally and mentally from working with victims (in the cyberstalking field). I was able to maintain some form of emotional detachment but it was hard and I did burn out after 10 years.

What didn’t you know when you started that ended up surprising you?

In a sense, I knew how incredibly dumb people could be with their security, with decisions they’d make, how bad people were with information online (I’ve been online since the BBS days in the early 90s) but coming face-to-face with some of it was just mind-boggling. I couldn’t believe how people would risk their jobs and their livelihood over some incredibly stupid stunts. (Sending nudes over work email, really?? Given the security measures and legal requirements for financial institutes, it’s not a far stretch to assume email is captured and saved.)

It’s also surprising how much information is out there if you know how to look for it and if you have the skills to join the dots. Almost everyone knows how to use a search engine but it’s a talent to know how to search well, how to dig deep, how to put together effective search terms, use multiple search engines (and even other data sources that many people don’t think or know about), and then dig through the results looking for those little nuggets to put a whole picture together. Sometimes you can’t, because the information doesn’t exist or your target did a good enough job at hiding themselves, but other times there’s just enough breadcrumbs to lead up to enough information to get that figurative smoking gun.

So I actually have a personal interest in part of this because I had a cyberstalker at one point. It was terrifying, the emails were all sent using anonymous remailers (and a couple of physical letters sent to my house), and I had no idea what to do. What *should* someone do if that’s happening?

Interesting, because a lot of what you describe is similar to how my cyberstalker behaved too! I couldn’t find out who it was, I had one suspect based on the anonymous remailer “hiccuping” and including his email address by not stripping it out (although it could be argued that it was manually entered to throw me off the trail), but it was someone who had been pursuing me romantically, had been rejected, and had done enough creepy, real life stalkery things to ring my alarm bells. I received a few anonymous notes on my car as well, which was scary as shit.

For most common every day users, what I would have advised was essentially “disappearing” off the Internet: change your email address, setting up a public and a private one; change your screen names; lock up your security settings on your social media accounts; essentially go dark on any of the locations where your cyberstalker knows you are and make it nearly impossible to see your online activity. And for the love of Peter, Mary and Joseph, stop responding to them! A lot of cases I dealt with were arguments that just escalated until someone was willing to take a harder virtual punch than the other could tolerate, or no one was willing to let the fight go without getting in the last word (so in essence, it was a virtual mud-slinging match). If I saw that someone had tried to either pull away, deescalate or hadn’t actually instigated any sort of mud-slinging fight though, I would then look into tracing and reporting emails and websites if it was in violation of Terms of Service.

In a lot of cases, cyberstalkers/harassers really just want to get a reaction so if they don’t get it or can’t reach their intended target, they’ll stop poking the victim and move on. If there’s a consequence to their behaviour (such as getting their email address or ISP account shut down for violations), that sometimes also got them to stop. A lot of the time I had to coach victims towards a realistic goal: it might not seem fair (that they had to make changes to their online behaviour, that the harasser got away with their actions), but what was realistic to accomplish… to get the harassment towards them to stop. And sometimes that’s a bitter pill to swallow.

With the more public/popular websites online though, it definitely gets a bit murkier. You can’t just disappear, you can’t start filtering all your email or shut it off.

Did you ever feel in danger doing this work?

I would say for the bulk of it, not really. In both my positions, I was never right at the forefront of the investigations so no one saw me as a threat. When I was online, I always posed as a male with a completely different screen name that was never associated with me in real life. One of the key tricks to posing as a “fake person” is to try to stay as true to your real identity as possible because it means you’re less likely to trip over a lie and you won’t sound fake. I did a short two-week “listen and learn” role at a company and I used a shortened version of my real first name (different enough that it actually wouldn’t connect to my real name, but similar enough that I’d respond to it) and the very common last name of my partner that I was living with. I spoke of hobbies that I had from a few years back that I wasn’t involved with anymore so I knew what I was talking about, but wasn’t in any groups or communities locally.

What’s a “listen and learn”?

I was basically working undercover as a new employee and trying to find out information about some thefts that had happened for machine parts. One of the problems with that though was I couldn’t start asking around about it, since I was new and it would make it clear I’d been dropped in to investigate. I was told to essentially stay quiet, hang out in the break rooms, befriend some people (as best you can in two weeks) and eavesdrop on conversations. They wanted me to find out who was dissatisfied and angry with the company (the stolen machine parts were used to, ahem, make cookies which were left in the breakroom to make a statement … someone was *clearly* pissed off).

Do you feel like doing this work has made you look at people differently long-term, and if so, how?

100% yes. I know I was definitely far more naive and expected the good out of people first, and would wait to have the bad shown, and I think I still carry that optimism a lot, but there’s always that sense of jadedness that kicked in. I went into forensics to help people, but I wound up working for corporations and saving companies money (intellectual property, piracy, and fraud for a financial institute). I only helped people through a volunteer job and after 10 years, hit a burn out phase so badly that when I got a case in that was a genuine victim (not a two-way trolling fight between people slinging mud back and forth), I read through it and said out loud “I don’t care.” I couldn’t drum up one ounce of sympathy anymore … and that definitely scared me because that’s not who I want to be.

I don’t know if I’m going to get back into forensics. My certification is expired, as an immigrant I can’t work in the U.S. public sector easily, and the private sector is mostly in the same areas I’ve covered, which doesn’t have the same emotional satisfaction. Once I’ve finished grad school and figured out my immigration issues, I might revisit it, but it’ll also depend on how much I can still care about dealing with the people in it. It can be really hard to emotionally distance yourself, but at the same time you don’t want to be blaming people for the messes they wind up in. I never did blame anyone, sometimes you wind up in a situation that you don’t even realize is a rabbit-hole of a mess and you’re going down it and taking the bait and it blows up in your face, but it’s really hard to bite your tongue when you’re trying to help guide someone out and they’re fighting you every step of the way too. I think that’s probably the biggest thing that burned me out, having to deal with people lashing out at me when they’d asked for help, but then didn’t want to follow the advice I’d given them because they didn’t like what they’d heard.

I guessed it was used as a mold for the cookie shapes.
Oh, so we’ve got plates of Snowman cookies, Christmas tree cookies…and wait, wait…are those cookies in the exact shape of our missing Plasma Analyzer?

I had to admit when I was told someone used machine parts as cookie cutters to make cookies and left them in the break room, I nearly peed myself laughing. That was… so passive aggressive and mean and horrible but creative!

I loved Usenet! A funny thing about the stalking was that another newsgrouper was so concerned about me that he called from Australia to make sure I was okay. Wherever you are, Craig, you’re lovely :-).

I was an active member on one newsgroup for a book/game series that had authors actively participating and when we got a troll (that I didn’t know how to handle so of course I was responding and retaliating at the time), he just upped his harassment of me and everyone else, and then he started targeting the authors. When he started posting their street addresses and phone numbers to the group, the book/game company that employed them ordered them all to withdraw from the newsgroup because of the threats…. so we lost at least 5 or 6 authors that we’d been interacting with directly because of him. That was the start of the downward end of the newsgroup if I recall too.

Women are really getting burned by the disconnect between law enforcement and the Internet. Doxxing and cyberstalking and horrific death threats (and worse!) over male fragility, anger over women have voices, and women being in stereotypically male spheres like sports and video games. It’s pretty horrific.

I tried to donate to a group that does forensics for victims of cyber threats, but they don’t take money. (Dunno why, but glad they’re well funded.)

My fantasy is that some internet vigilante will start researching cyber brutes and publish the horrible things where their communities –
moms and sisters and pastors etc – can see the horrible things they do and say anonymously to terrorize women. It seems like the threat of one’s worst thoughts being outed publicly would help clamp down on many of the offenders. Not sure if this is legal (which would be ironic if it wasn’t, given that cyber harassment is ignored by cops routinely).

My colleague was misquoted in the Wall Street Journal, which led to some real MRA wingnuts cyberstalking her, threatening to publish her home address, and mailing her graphic death threats (full of torture and sexual violence) for two years. She still sometimes get splenetic email hate bombs. The police have done nothing. It’s maddening.

(I think it would be legal to out people’s bad behavior, as long as the outing is accurate. That’s kind of the premise of Hollaback!NYC (and its progeny), which are still active.)

My son did a degree in computer forensics, not something you hear about a lot, but I believe everyone in his program was hired immediately out of school. I have a feeling this degree field will, unfortunately, be one that continues to grow.

This was interesting to read. I’m in a similar field currently (internal investigations for a financial institution) doing a lot of the same types of things. I can confirm, doing the job has made me a lot more cynical and distrusting of people, which I have to work to compensate for when off the clock. But everyday is usually something new (and more often than not interesting). Plus, there is something incredibly satisfying about sitting in federal court when someone is sentenced to prison as a result of you 12 months of work!

That said, those little bits of oddness add spice. When I first started at this job, I got spontaneous, impromptu aerobatics demonstrations from F-22 fighter jets, and those suckers play fast and loose with the laws of physics. Nice break from staring at a monitor, typing.

I recently had a friend send me a contact that apparently is one of those “get it done anywhere in the world” people. This contact was able to extricate my friend’s friend and her family from a country in the middle of a coup.

The contact is carefully saved but I cannot begin to imagine when I might find myself in a situation needing that level of assistance! Good to have just in case, I guess. Gulp …

See, for me, the phrase “private investigator” just conjures up rain falling from a cloudy sky and swirling cigarette smoke and mysterious dames with secrets and “it’s Chinatown, Jake,” no matter how much I know that most of the job is sitting at a computer, exactly the same as I’m doing now, typing and clicking. I just can’t shake it.

I once spent 10 hours tracing emails to figure out where it leaked out of the financial institute. 10 hours to find out one email that was sent to 6 people was forwarded to 2000+ people and never did figure out who sent it to the target.

This and some of the fraud stuff you mentioned is roughly what one of my exes does now (he’s a CI for a federal agency). Also, when he was on surveillance, he would sometimes call me because it was so boring he didn’t want to fall asleep.

Ha!
Once, at the non-profit job, I was tasked with finding potential donor info and I unearthed a secret production company that belonged to a major A-lister buried within a film studio. It was well hidden to avoid people like me (heh heh). This was pre-social media, too. I was pretty proud of myself for that one.

Fascinating interview.
Over the years I had two stalker situations. One was a person with whom I had been in a relationship and who sought revenge and/or continued contact. That one was fun because the other person took the unusual step of purporting to be the victim and that I was the stalker (to the point of going to police about it) but made critical errors that proved it couldn’t be me. The other never was known and was a minor incident; fortunately I moved from the location where it was happening soon after.

While going through a rather contentious divorce I had to do similar steps plus totally cut a group of friends from my life because an unknown member of that group was keeping my former spouse informed of what I was doing, including disclosing things shared in confidence, etc.

I had worked a stalker case where a “victim” came to me and reported harassment but once I checked into it, the harassment was retaliation from the real victim out of frustration because the first person was actually a full on harasser of multiple people. It wound up being a real crazy case to work.

And yeah, it sucks to have to distance yourself but sometimes that’s the only way to do it since it’s not always realistic to get the perpetrator to stop their behaviour. :(

There were two recent episodes of the Reply All podcast (“The Skip Tracer,” parts 1 and 2) where they followed someone doing similar work. Also fascinating. Although it’s hard to top the cookie story in this one.

One area that Seejay might consider at some point is advising nonprofits on information security for child protection. In my field there are always problems with people getting into photo databases and case histories to access images and information about children we’ve worked with. Awful but sadly an ongoing issue.

A lot of nonprofits are very weak on IT security, and may not know how to track who’s been trying to look at things they’re not authorised to see. My organisation had a great training scheme to help us notice odd behaviour among staff and volunteers. They would also bring in IT experts to trace unauthorised file access, but I’m not sure that other nonprofits in the field were so well up on things.

That’s really interesting- non-profits probably have access to loads of data that these types are interested in, totally not something I’d ever thought about. Good that your organization is watching its back!

In a similar vein, internal investigations for a healthcare organization might be satisfying without hitting the same emotional buttons. Any medium to large sized healthcare organization will put a lot of time and money into HIPAA compliance and investigating HIPAA breaches. That usually means an employee doing something they’re not supposed to with a client’s personal medical information – anything from emailing information to a personal account so they can work on it at home (big no-no!) to nosing through the records of an acquaintance who happens to also be a client, to identity theft. The most common one I saw was employees falling for a phishing email, and then someone gets to sort through their entire email backlog for client data that may have been compromised. You’re protecting average people as well as the organization (many of which are non-profit as well), and there’s little to no emotional demands. And HIPAA law is shockingly understandable and reasonable.

At the financial institute, we had *employees* that would look up famous peoples’ financial data for fun and that would flag alerts (that was fun to investigate and then have to call them in on), and then the number of high up employees that would fall for phishing and nigerian scams were mind-boggling. Apparently the higher up you are, the smarter you think you are and the more likely you are to fall for phishing scams, thinking you’re too smart to fall for something that obvious.

Yeah, it’s true. It didn’t help where I worked that the higher-ups were also generally older and not particularly computer literate. If a thing told them to click here and put in their password, they clicked and put in their password. *headdesk* We praised people HEAVILY for calling us when they were suspicious, especially when it turned out to be something innocuous. I’d rather get a hundred false alarms than do one clean-up.

I can see that for the employees. They love gossip as much as everyone else, it’s easy to see public figures as fair game (they’re not), and to tell yourself you’re not doing any harm. That kind of thinking is why places have security refreshers to tell people what they already know and remind them it’s important.

And yeah, scammers love confident people, confident people don’t keep their guard up. The trick in phishing is like forgery:and other scams is you don’t focus on a perfect cover, you hit them when they’re not looking too hard. Catch someone on a slow day just before closing when they’re just acting on impulse (or at peak times on a busy day, same effect), ask for something they’re used to handing over easily, and you can get it even if you said you were the Prime Minister of Candyland.

Ha, I confess I once looked up the customer profile for a famous former athlete whose retirement plan my company managed. It was much less salacious than I’d be hoping (although I don’t know what I expected to see on a 401k account that would be interesting aside from a high balance, which he did have).

Nah, you need to be licensed and I’m not anymore. Plus my certifications are all expired at this point. I sometimes investigate and explore and identify people for fun and to keep my skills up, and also to preemptively protect myself (like the guy that started creeping on me in a video game, I dug up his real identity in about two minutes flat and stored it away in case he escalated and I’d need it), but for the most part, it’s not something I do professionally anymore.

This is great! Just throwing this out there after listening to Alison on the PopTea podcast, I would totally be first in line for an AAM podcast? I would love to have gotten to listen to this interview as well!

In a sense, I knew how incredibly dumb people could be with their security, with decisions they’d make…

I had a retired FBI fraud investigator teach an accounting course for us once a year on fraud examination. He used to tell all kinds of stories about the dumb things people would do, like paying for their personal car insurance with a company credit card. I was continually amazed what people thought they could get away with.

He worked for a time with the State university system at a very well known university. The State has very, very strict rules on State credit card usage. But still, people used them to buy all kinds of things. If I remember correctly, one person used State money to put in a pool at her house, but I don’t recall if it was with a credit card or another approach.

I’m of course not going to share any details, but one time, I had to tell a coworker, “you do realize that this counts as embezzling and if you get caught, you’ll be a felon and have to pay back treble damages, right?”

I wasn’t trained in the check fraud, but I had one of my coworkers show me a check that had come through and someone had actually cashed a check that had been filled out with an old school typewriter… as in the printed information on the check had been. In three different fonts. That check passed through three different people and no one flagged it as fake until it finally bounced. I took one look at it and asked “why did no one look at this and say that something was wrong??? IT LOOKS BAD.” And yet I had no training in spotting bad checks.

I do think there’s a weird psychology where sometimes if something looks SO wrong, you loop back around to thinking it must be legit and just a weird exception to the norm, because surely no one would think they could get away with such a bad fake. It’s almost more obvious when someone was clearly trying to make it look real and did a bad job than when someone didn’t even try.

My favorite stupid embezzlement story I’ve heard (second hand so the details are vague): An executive assistant had a reputation for baking these wonderful extravagant cakes. For years she would bring them in for work events, bake them for coworkers weddings, etc. Eventually she left the company. Shortly after, the company received a bill from a bakery…for over $20,000. Turns out she had been using her access to the company credit cards to buy all these fancy cakes and pass them off as her own. Somehow thought it would never get back to her.

Some people are really, really stupid. Last weekend I was talking to a guy working at Bass Pro Shop, and he’s actually had real felons answer yes to the ‘are you a felon’ question on the firearm background check. I guess it catches some people?

But it’s not just stupidity. People just have no idea how not to incriminate themselves, and they indulge in all kinds of magical thinking – “Oh, surely the police will never think to search my back yard shed, that’s where I’ll stash the hookers!”

Ha, that reminds me of a story my sister told me. She was taking a psych class in undergrad that had a police officer come in and talk about interrogation techniques. She was just thinking, “oh, this is so useful, I’ll totally never talk now” and then the officer turned to her and started asking her questions. Almost without thinking she answered. Everyone giggled (including her, as soon as she had her OH CRAP moment) and then class went on.

When she told me about it she was like, “I thought I was so smooth but I SANG LIKE A BIRD omg.” Even when you’re literally being told about people just spontaneously telling the police stuff they don’t need to mention, it is apparently really difficult not to answer a direct question when you’re socially accustomed to doing it.

I’ll never forget the time I applied for a US visa and one of the questions on the form was “Do you intend to commit terrorist acts while in the USA?” I looked at my dad with a shocked face and he said, totally deadpan: “That’s to weed out the dumb terrorists.”

There was a case where someone literally accidentally ticked the wrong box for their like 15 month old baby. It took weeks to figure out how to fix it and continue their trip to the US. It was in the news like a week or two ago.

2 companies ago I had just started working at a company where a gentleman was recently fired for using company funds to buy about $200,000 worth of stuff for himself. And of course that was what he was caught for. Other employees were known to use cards to buy materials for work, to then turn around and return them for cash at places that allowed that. Also, people would steal old equipment and recyclables to sell and pocket to cash for. It was a pretty toxic place, as you can imagine.

The best part though is that all the satellite plants kept recycling these people. Upper and executive management would change so much, other plants just would go with the stories the fired employees would give them about being taken down by politics! This one guy, who excelled at all kinds of nonsense, was fired and rehired by the company something like 6 times over 40 years! he would get fired for stealing, or for getting the company sued for discriminating during hiring, or whatever. And then management at the top hire him would change, some idiot would get promoted at a plant to manager and would hire the guy back. If he wasn’t such a truly awful human being in every way, it would have been impressive!

In one of my information security classes, the instructor told us we would be going dumpster diving. He said people throw away all kinds of secure information and we would be surprised as what we find. Sure enough, we found bank records for one person, and another who threw away something with their SSN on it.

I remembered that incident when I was cleaning up and found old paystubs with my SSN as my employee ID. I promptly shredded them through the cross-shredder.

In the PI company, some of the investigators would grab garbage bags from out front of target’s houses and go through them in the office to look for documents. Most of the time they’d find papers that were either not shredded or were torn into two to four pieces so the information was pretty easy to find, which is how we’d get a lot of evidence. Occasionally we’d get straight shredded stuff and even that, they’d spend hours piecing it back together. Cross-shred though was a guarantee they weren’t going to bother.

I remember someone telling a story about a cross cut shredded document being painstakingly put back together and used as evidence only to have it thrown out when the judge ruled there was a reasonable expectation of the document not being recoverable.

When I was in college SSN was what they used for your student ID number. We were all carrying around ID cards with our SSN’s in huge type across the front, along with our photos and full names. This was in the late 90’s — I believe they changed it shortly after I graduated, but it’s kind of shocking it took that long.

My grad school alma mater was still using SSN’s as student ID numbers in the early 00’s. I threw out a few boxes of old papers from grad school recently, and I saw rosters from classes I TA’d with my students’ names and SSN’s. It would have been a gold mine for an ID thief, and I can’t believe the university was so cavalier about exposing students’ SSN’s so recently.

I worked for a company many years where a couple of people were fired (and maybe charged with fraud or theft, I can’t remember).

They had started their own office supplies company, and got it added to the approved suppliers list (they were in procurement so it was easy for them to do that and they probably also had visibility of the weak points in the system).

The company really did provide office supplies, but one of every few orders would mysteriously disappear. The excuse was always that “it must have been delivered to the wrong building”, which was reasonably plausible because we worked from multiple buildings in the same area.

Huh. I had a company card once. I paid the bills on it myself. It was basically just a credit card with the company’s logo on it. And I think it was somehow linked to the expense report system so you didn’t have to send them separate documents to verify the expense. I used it for personal things once or twice by mistake or when there was an issue with my personal card. No big deal. I just didn’t file an expense report and didn’t get reimbursed.

I had to laugh at the last sentence – “I think that’s probably the biggest thing that burned me out, having to deal with people lashing out at me when they’d asked for help, but then didn’t want to follow the advice I’d given them because they didn’t like what they’d heard.”

This could apply to SO MANY JOBS! Including writing a workplace advice column! :)

I’ll admit, some of the advice is *hard to swallow*. People don’t like to be told to change what they’re doing when it sounds like they’re being blamed for what’s going on, or when it sounds like it’s letting the harasser get away with what they’re doing. A lot of the times, they want justice or to make the harasser pay or to at least go away so they can continue doing what they enjoy. Why should they have to make the changes and suffer and let the harasser get away with it? It’s tough to tell someone that they have to suck it up and let the harasser “win” in that sense. The last time I got accused of victim-blaming, I threw up my hands and gave up.

Having been on the receiving end of harassment, I get it, it’s hard to hear that type of advice, but having witnessed the results and the patterns, in most cases it’s the best method of handling it. It’s not always the solution, since each case can differ, but for most of them, it’s usually the answer, but it’s not the answer people want. :(

I have a question. What about people who don’t really have the option of going dark? Or would suffer a lot of career damage from it? Writers, entertainers, executives, politicians – anyone who needs to be in the public eye to some extent as part of their work. Did you ever work with a client who was in that kind of situation? If so, what did they do?

Yeah, those cases are definitely more difficult because you can’t tell someone who’s made their business or livelihood out of being in the public spotlight to disappear. Someone like AAM can’t shut down their website or shut down the comments or put them on filter or change their email address when it has to be public (and that’s just looking at smaller public figures, not big time ones).

I never had to deal with really big public figures, but I did handle a few cases for people that had to maintain a public internet presence and doing any sort of disappearing act online would cause financial hardship (one case was for a cam girl / cybersex operator who had acquired a stalker and he’d show up in whatever channels she used to advertise her services in and then he’d harass her and any clients that talked to her). 15 years ago, there wasn’t a lot of good software that allowed users to control interactions with people so they couldn’t do much more than ban by screen name, which was easy to get around. Newer tools allow banning by IP address, which helps a bit. Requiring registration for users is another step to prevent anonymous users from just joining willy nilly.

Of course, we also encouraged people who had to do online work to hide their real identity as much as possible if necessary (especially in sex work) and if they needed to use their real name, make sure they kept their address/location a well-guarded secret. This would mean a post office box, Google voice number, unlisted address, etc. There are ways to dig this information up but if you take steps to make sure it’s hidden first, it at least forces people to make more effort instead of just googling it in the white pages.

For anyone that’s far more famous and in the public spotlight, that was way over my paygrade. The cyberstalking stuff I did was volunteer only, so anything that got serious enough to warrant more than avoidance, reporting to ISPs and anything I could do from my home and computer, I’d recommend someone having to invest in legal experts unfortunately. :( There’s lawyers and PIs with tools and security measures far greater than I could ever hope to muster up.

This was a fascinating read. I’ve occasionally been super curious about a job like this and have done similar stuff that is very vaguely like (only looking for publicly available information, whatever was on social media accounts that was publicly available and visible, no hacking or lot of tech involved) it. Good to hear an insider’s view. Thanks for the interview!

Great interview! Back in the 90s, my grandma would do some small jobs for a PI. She’d go into court houses and city offices and finagle records from the secretaries. She said the secretaries hated the ex-cops who were PIs, but were happy to help a polite, slightly confused senior citizen. Lol.

As a librarian, I’d probably be pretty good at the mundane things. The exciting 10%? All the nopes.

Apparently my grandma used to say she’d make a great spy for this exact reason. However, seeing how much my mom visibly/audibly enjoys feeling *super super sneaky* and how much I’m starting to inherit that exact same trait, I’m…pretty sure we get that from her. I feel comfortable asserting we’d all make terrible spies because the cackling would give us away.

That was an awesome interview, thank you so much Seejay and Alison for this unique little article!

“everyone knows how to use a search engine but it’s a talent to know how to search well”
Don’t I know it. For some reason, my 62 year old mother, who only learned how to use a computer a few years ago and still can’t really do much of anything with it outside of the internet, is an absolute magician when it comes to searching for things. She’s completely relentless and has managed to dig up the most obscure, hidden-to-any-normal-person information you could think of, drawn conclusions and unveiled conspiracy-like happenings, just by somehow operating search enignes better than literally anyone amongst my family and friends. It’s amazing.

My sister is like this too. Some years ago we had to track down a former friend of my former MIL. The friend had been in prison and we discovered some documents of his that he left with her for safekeeping. I tried all the searches I could think of and came up at a loss. I called my sister, and in an hour she called me back with an address.

I have multiple stories like that about her, that’s just the most impressive one.

I’d actually love to see a series of these, not just as interesting jobs but windows into fields few people know about. I’d love to hear more about the Machiavellian antics our resident librarians have regaled us about in their field, for example.

This is so good, but also kind of sad.
Beginning of the article – [the police were] telling me to “stay off the internet.” I also was told to change my email address ..
Advice to people with cyber stalkers – For most common every day users, what I would have advised was essentially “disappearing” off the Internet: change your email address…

Ten years of work and study and experience and her advice isn’t that far off of what she was advised of originally. I hope your grad school goes well, and thank you for helping all the people you did.

The thing is, there’s ways to hide now that allow you to still stay online without unplugging.

What I was told in the 90s was only to unplug and stay off the Internet. Change my email address and not ever go to places I knew and socialized again. It was a simple solution with no alternatives.

The advice I would give now is much different, while a bit similar. I wouldn’t advise someone to stay off the internet, but does include changing some habits. Of course you do have to change some things if you get targeted, because unfortunately you would have to… you need to make yourself less of a target, remove the temptation and what makes it easy for a stalker to find you. But if they can’t find you because you’ve changed your identity by changing your email address, having a secondary email address that’s a throwaway address that doesn’t relate to you, changing a screen name in the places you socialize, locking down your security settings, minimizing the ways your stalker/harasser can see you, without actually removing yourself from the internet, it can cut down on the harassment.

Depending on the type of harassment and the reasons behind it, some harassers are out there looking for a response and reaction. If you don’t give it to them, they’ll move on to someone else. Of course, this isn’t a one-size-fits-all answer, but it’s the start.

Terminology question – you mention focusing on “satellite hacking and piracy”. In this context does satellite mean literal communications satellites, or something else? Because if we’re talking about actual space piracy, I want to know more. A lot more.

Oh, it means satellite tv, as in DirecTV, Bell ExpressVU and Dish Network. At the time (I’m not sure how it is anymore) there was software and hardware to hack the cards so you could either get free satellite tv or acquire it in a country where it wasn’t legally purchasable (also known as grey market satellite). Every so often, the providers would come up with new encryption techniques that would break all the cards and then someone would decrypt and hack the signal again and new hacked software would be released so people would buy the software again. Some of the hardware wasn’t illegal (like card readers) but people would buy it from the sites because it was cheaper and occasionally get caught up in the busts (they would claim they weren’t buying anything illegal, just the card readers, but I’m pretty sure they were just saying that).

Space piracy is a thing, though. There are lots of surveillance satellites that hostile actors want access to, of course, but you also get people trying to disrupt GPS and communication birds as, like, space terrorism. And then people want to take control of satellites so they can demand ransom, or to crash them into other things. It doesn’t happen a whole lot, afaik, but you do need a security plan when you’re designing a space mission.

Thank you so much for doing this, every bit of it is fascinating, including the parts about how boring this stuff can be!

As an archivist, I experience digital forensics through the lens of analyzing and preserving records for potential researchers. A lot of the stuff that is the bread-and-butter of criminal investigation can be considered ethically off-limits for us (e.g. analyzing deleted files or browser history — though everything is context-dependent). However, digital records and paper records are both alike in that it’s amazing what people will unthinkingly leave mixed in with their files, where anyone accessing them can see them. One of my favorite was a lighting designer leaving his sex diary in with his lighting plots and other tour files — this was stored on the computers of the company he worked for, not in his personal papers.

We had seized a satellite pirate’s computer in a bust and I was going through it for deleted files and other software and I stumbled across a set of dirty photos of him and his girlfriend having sex. I was like :O ok, let’s skip past that really quick now nothing to see here moving on.

I made a decision about 10 years ago to follow someone to the US and it was easier to get into software engineering at the time since I needed to find work quickly and forensics was a more niche field. I wound up back doing development which is where I’ve been for 10 years now and as a result my certifications are expired and my skillset is pretty rusty and outdated. :/ I’d love to get back into it, but I’d probably need to start over, get recertified and retrained in the updated software and I’d probably be limited in what areas I could work in (non-citizens can’t work in some areas of the the public sector for example, such as law enforcement, which is one area I *would* like to be in, so I’d have to move back to my home country if I wanted to do that).

Previous job was verrrry similar to this. I not only merged duplicated medical records in the software systems our health care organization used, but had to fix or pull apart mixed records in the same software systems. The way Jay See described how she searched for things and what she searched for was very similar to what we did to verify a medical record belonged to a certain patient. I’m also extremely familiar with that adrenaline rush you got when just that one small piece of evidence locked everything into place.

This sounds utterly fascinating to me. I’m a regular old-fashioned web developer, but I’ve always had an interest in forensics (and occasionally go on binges of public-record-diving–it’s shocking how much personal info is out there if you know where to look).

I know you’ve been out of the field for awhile, but I’m pretty interested in learning more. Do you know of any organizations I could look into?

CISSP training and InfoSec training are two areas that you could look into. I was EnCase certified originally, which is another software application that’s used in the field (or at least was). isc2.org has a lot of information there too for cybersecurity training. Once you get certified, there’s a bunch of different fields you could look into, from just doing IT security as a sysadmin to actually investigations and forensics within law enforcement.

This was a wonderful read. Thanks to both Alison for doing this and to seejay for *trying* to help people when they want to do everything wrong! When I was in retail I used to get yelled at on a regular basis because someone would call in and want to buy hundreds of dollars or more on product, then said “and I’m going to get my friend so and so to pick it up.” Ummmmmm…. no. So I’d explain that phone orders with credit cards are fine, but the owner of the card had to come in with ID in order to pick up the product. “I don’t have to do that I’ll just fax you my signature saying it’s okay!” Um, NO. Explain again. This is for their own protection, anybody could call in and SAY they were them and thus the rule, etc. Cue yelling. Cue me just stonewalling them because this is also for the company’s protection, for obvious reasons, and just because they’re happy not looking out for their own interests doesn’t mean I was going to drop my concern for ours. I got *so tired* of being yelled at for protecting *their* money, credit and identity, though. Sometimes I really wanted to snap “YOU’RE WELCOME ANYWAY!” and hang up.

Yep, so often people don’t realize that what you’re doing that might inconvenience them is *also* for their protection. It’s hard, it might not be what they want to hear, but boy oh boy when it doesn’t work out in their favour when you break the rules and they do get screwed, they’ll be yelling even louder. :/ It’s a horrid double-edged sword. Rules are there for a reason, even if they’re inconvenient and look like they suck.

Cool interview! My husband is a PI but mostly works with insurance companies on potential fraud. You know, Person says they hurt their back at work and are debilitated by the injury, yet he catches them on video digging in their garden or doing heavy lifting or whatever. He says mostly it’s sitting in a hot car staring at front doors, haha!

yes, we had investigators who specialized in insurance fraud too and they had to do the “sit in a hot car and watch for potential activity”. One of our guys got burned one day when following a mark and the guy came out, confronted him, he denied what he was doing (which is what they’re supposed to do) and wound up getting punched in the face for it. I think we wound up pressing charges for assault (ie, don’t assault strangers, even if you think they’re following you, unless they pose some sort of immediate threat).

Oh my! Husband has been stopped by the cops a few times because of nosy neighbors (shows his license and they’re pretty much “okay, have a good day”), but at least hasn’t been assaulted! The only time a mark caught on was a super rural area with no good place to set up surveillance. The woman was outside talking with her neighbor and both started to wave at Husband. Then neighbor goes and gets his gun (we live in a conceal carry state) under the pretext of showing it off to the mark. Obvious gesturing with the gun towards Husband’s car, and he drove out as soon as he could.

I enjoy these interviews very much, it’s always both fun and educational to read about different industries and people’s experiences. Thanks to Alison for doing this, and to seejay for the great interview.

I’ve dealt with some stalking, offline and online. I now follow this protocol:

1. Ignore all communication from them and see if they stop. Document everything.
2. If they escalate despite my ignoring them, I respond once and ask that they never contact me again. Document everything.
3. If they continue, document it and don’t respond. Be prepared to file for a restraining order. If they make any threats, show the evidence of it to a police officer. Get a case number.

I’ve also gotten better at avoiding being a target. A few things that have helped for me (not necessarily applicable to everyone):

Cutting off contact early when someone begins acting creepy. Trusting my instincts more in that area. There can be a tendency to give people lots of chances and withhold judgment. I’ve learned to be judgmental.

Keeping a low profile online and avoiding any online drama.

Being more upfront in my communications and how I present myself. Being candid about anything about myself that might seem weird. Coming across as strong and confident. It might just be me, but a lot of stalkers I’ve met have been drawn to people who act avoidant or seem to be hiding something. Or who seem lonely. I’ve learned to have better boundaries so I won’t come across as needy and/or vulnerable.

*These were all people whose identities were known to me. I’ve never had an anonymous stalker. Just former friends, exes and acquaintances who engaged in a lot of unwanted contact after I severed the relationship.

“I think that’s probably the biggest thing that burned me out, having to deal with people lashing out at me when they’d asked for help, but then didn’t want to follow the advice I’d given them because they didn’t like what they’d heard.”

In any profession where you work to provide a service to others burnout inevitably happens in my opinion, even in therapy where they pay you for your skills and expertise, they still fight you every step of the way. It used to annoy me to no end, but people have to accept their habits and patterns are not working before they can move on. And it is not as easy as just saying it, they still have to go through the Five Stages of Grief: denial, anger, bargaining, depression and acceptance.
In 1969 Elizabeth Kubler-Ross described five stages of grief in her book “On Death and Dying”. These stages represent the normal range of feelings people experience when dealing with change in their own lives or in the workplace. If you have assisted someone with an issue and everything you have told them about how it happened and what they need to do to fix it is met with denial and anger, then all you can do is step back and let it go as they are not yet able to hear you. At this point, you need to take care of yourself and let it go, otherwise it will eat you alive. And I have to tell you, this is really hard to learn when you are a giving, caring person.

All that said, I really enjoyed reading about this. I wish I had more of an idea as to how to stay invisible online.

Reason #87 not to bring homebaked goods to work: you’ll end up on the list of suspects when the machine-part formed cookies are being investigated.

I’m imagining the Criminal Minds team giving their profile: “OK, based on the eviden–mmm, crunch–ce, we believe the unsub has a predilection for using sugar substitute and dark — is that dark or milk chocolate? — yes, dark chips.” Coworker: “If there’s a dash of ground cloves, then it’s… Susan!”

This is fascinating because I had a FaceTime stalker and I didn’t know for sure he actually meant to be contacting me. He knew my name but I had no idea if he was contacting me through phone number or email, and my email is so generic that I get a lot of random messages from legitimate people too. I had no idea where to turn. It wasn’t scary but I couldn’t block his FaceTime calls then (before Apple added the feature).